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Consider the following propositions (where "D" represents implication): 

Vx. Vy.edge(x,y) D edge(y,x) 
Vx. Vy.edge(:r, y) D path(x,y) 
Vx.Vy.Vz. edge(x,y) D path(y, z) D path(x, z) 

One way to think of these propositions is as rules in a bottom-up logic program. 
This gives them an operational meaning: given some known set of facts, a bottom- 
up logic program uses rules to derive more facts. If we start with the single fact 
edge(a, b), we can derive edge(b, a) by using the first rule (taking x — a and y = b), 
and then, using this new fact, we can derive path(b,a) by using the second rule 
(taking x — b and y = a). Finally, from the original edge(a, b) fact and the new 
path(b, a) fact, we can derive path(a,a) using the third rule (taking x — a, y = b, 
and z = a). Once the only new facts we can derive are facts we already know, 
we say we have reached saturation — this will happen in our example when we 
have derived edge(a,b), edge(b, a), path(a,b), path(b, a), path(a,a), and path(b, b). 
Bottom-up logic programming is a very simple and intuitive kind of reasoning, and 
it has also shown to be an elegant and powerful way of declaratively specifying and 
efficiently solving many computational problems, especially in the field of program 
analysis (see [Whaley et al. 2005] for a number of references). 

Next, consider the following proposition: 

Vx. Wy. path(x, y) D ^edge(x,y) D noedge(x,y) 

Intuition says that this is a meaningful statement. In our example above, we can 
derive path(a,a), but we can't possibly derive edge(a,a), so we should be able to 
conclude noedge(a,a). A bottom-up logic programming semantics based on strati- 
fied negation verifies this intuition [Przymusinski 1988]. In a stratified logic program 
made up of the four previous rules, we can derive all the consequences of the first 
three rules until saturation is reached. At this point, we know everything there 
is to know about facts of the form edge(X,Y) and path(A, Y). When considering 
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the negated premise ^edge(x , y) in the fourth rule, we simply check the saturated 
database and conclude that the premise holds if the fact does not appear in the 
database. 

Stratified negation would, however, disallow the addition of the following rule as 
paradoxical or contradictory: 

Vx.Vy. path(x, y) D ^edge(x,y) D edge(x,y) 

Why is this rule problematic? Operationally, the procedure we used for stratified 
negation no longer really makes sense: we reach saturation, then conclude that 
there was no way to prove edge(a,a), then use that conclusion to prove edge(a,a). 
But we had just concluded that it wasn't provable! Stratified negation ensures that 
we never use the fact that there is no proof of A to come up with a proof of A, 
either directly or indirectly. However, stratified negation is an odd property: the 
program consisting of the single rule ^propl D prop2 is stratified (we consider propl 
first, and then we consider prop2), and the program consisting of the single rule 
^prop2 D propl is also stratified (we consider prop2 first, and then we consider 
propl), but the two rules cannot be combined as a single stratified logic program. 

In part due to this non-compositional nature, stratified negation in logic pro- 
gramming has thus far eluded a treatment by the tools of structural proof theory. 
Instead, justifications of negation in logic programming have universally been of 
a classical nature based on the assignment of truth values (Boolean, three-valued, 
or otherwise) to atomic propositions. In this paper, we take a first step towards 
a structurally proof-theoretic justification of stratified negation in which compu- 
tation is understood as proof search for uniform (or focused) proofs [Miller et al. 
1991; Andreoli 1992]. The logic that we present has strong ties to GL, the Godel- 
Lob logic of provability [Vcrbruggc 2010], 1 and we therefore call it constructive 
provability logic. This connection in our intuitionistic setting was anticipated by 
Gabbay [1991], who showed that GL was a natural choice for justifying negation 
in a classical, model-theoretic account of logic programming. 

Outline 

Logic programming is our primary motivation, but this article will mostly focus 
on constructive provability logic as a logic. In Section 1, we develop the ideas 
behind constructive provability logic. There are two natural variants of constructive 
provability logic with different properties. The "tethered" variant of constructive 
provability logic, CPL, is discussed in Section 2. The "de-tethered" variant of 
constructive provability logic, CPL*, is discussed in Section 3, and in Section 4 
we sketch the use of CPL* as a logic programming language. In Section 5 we 
consider the relationship between this logic and classical Hilbert-style presentations 
of provability logic, and we conclude in Section 6. 

In the course of this paper we will give both natural deduction and sequent cal- 
culus presentations of CPL and CPL*, and show that, for each logic, the natural 
deduction and sequent calculus presentations are equivalent at the level of prov- 
ability. Natural deduction presentations are the most typical way of thinking about 
proofs and their reductions. Sequent calculus presentations, on the other hand, are 



X GL is also known variously in the literature as G, L, Pr, PrL, KW, and K4W. 
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more useful for proving negative statements about the logic (i.e. that a certain fact 
is not provable); such statements come up frequently in the way we use constructive 
provability logic. 

1. A JUDGMENTAL RECONSTRUCTION OF PROVABILITY LOGIC 

In this section we provide a very brief introduction to the judgmental methodology 
that informs our development of constructive provability logic. Our presentation 
is consistent with Pfenning and Davies' judgmental reconstruction of modal logic 
[Pfenning and Davies 2001], which in turn follows Martin Lof's 1983 Siena Lectures 
[Martin-L6f 1996]. 

The key concept behind the judgmental methodology is the separation between 
propositions (written A,B, etc.) and judgments J. A proposition is a syntactic 
object that is built up from atomic propositions using propositional connectives such 
as implication and conjunction. Judgments are proved through rules of inference. 
Thus, we can talk about proving the judgment A true or the judgment A false. It 
is not meaningful to talk about "proving A" except as a shorthand way of talking 
about proving the judgment A true. 

When proving a particular judgment, one should be able to reason from hypothe- 
ses. To this end, the concept of an hypothetical judgment, written J\, . . . , J n h J, 
comes into play. The conventional interpretation of such a hypothetical judgment is 
that J has a proof under the assumptions that J\ through J„ also have proofs. How- 
ever, the meaning of a hypothetical judgment is not given to us a priori. Rather, 
we define the meaning of a hypothetical judgment by defining (1) a hypothesis 
principle, (2) a generalized weakening principle, and a (3) substitution principle. 
These principles arise from the understanding of what a given hypothetical judg- 
ment should mean. The hypothesis principle defines how hypothetical assumptions 
are used. The generalized weakening principle defines primitive operations on hy- 
pothetical assumptions that do not change the meaning of a judgment (e.g. "the 
order in which we write assumptions does not matter" , "all assumptions need not 
be used in a proof" ) . Finally, the substitution principle defines the conditions under 
which reasoning through lemmas is justified. 

Plain-vanilla intuitionistic logic is one of the so-called structural logics, and as a 
structural logic its defining principles are simple and standard: 

Defining principles of plain-vanilla intuitionistic logic: 
— Hypothesis principle: If A true G ^P, then \l/ h A true. 

— Generalized weakening principle: If <]/ C \P' and $hj4 true, then f'hi true. 
— Substitution principle: If ^ h A true and A true h C true, then f hC true. 

These principles have an interesting character. While they are, in some sense, 
the last thing we need to consider when defining a logic (i.e. after defining the logic, 
they are theorems we need to prove about the system), the judgmental methodology 
tells us that these principles are also the first things that need to be considered. 
Philosophically, this arises from the fact that these principles flow from our un- 
derstanding of the meaning of the hypothetical judgment. More pragmatically, 
generalized weakening and substitution are necessary as we perform sanity checks 
on the rules that define individual connectives. 
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1.1 Natural deduction in the judgmental methodology 

The judgmental methodology is generally played out in the setting of natural de- 
duction. In natural deduction, the meaning of a logical connective is given by two 
sets of rules: the introduction rules, stating how we can come to know (that is, 
prove) of the truth of that connective, and the elimination rules, defining how we 
can use the knowledge (that is, the proof) of that proposition's truth. For instance, 
implication A D B is defined by one introduction rule Dl and one elimination rule 
DE: 

1>, A true b B true g \- A D B true ^ b A true 

* b A D B true $hB true 

In natural deduction, the sanity checks that we perform on a definition like this 
are called local soundness and local completeness. Local soundness ensures that 
the introduction rules are strong enough with respect to the elimination rules, 
whereas local completeness ensures that the introduction rules are not too strong 
with respect to the elimination rules. 

Local soundness. Consider a proof T> of the judgment $ h C true where the 
last rule is an elimination rule (in the case for implication, the elimination rule is 
DE and so we have two subproofs, one of ^ b A D C true - call it D\ - and 
another of f h 4 true - call it T)^). Since the rule is an elimination rule, it is 
necessarily the case that one of the subproofs mentions the relevant connective 
(in the case for implication, the first sub-proof T>\ mentions the connective) . Local 
soundness is the property that, if the last rule in the connective- mentioning premise 
is an introduction rule, then both the introduction rule and the elimination arc 
unnecessary. To show this, we build a proof of W b C true using only the premises of 
the introduction rule and any other premises of the elimination rule. In our example 
with implication, we can obtain this new proof by appealing to the substitution 
principle for the subproofs labeled V 2 and T>' x : 

V[ 

y,u: A true b C true ^ £> 2 [V 2 /u]V[ 

* b A D C true * b A true = ^ >R * b C true 

* b C true ~ )E 

Note that, following standard conventions, we gave the label u to the premise A true 
in the hypothetical judgment to make it clear what we were substituting for. 

Local completeness. Where local soundness is witnessed by a proof reduction, 
local completeness is witnessed by a proof expansion: given an arbitrary proof 
of the truth of connective we are interested in, we show that by applying the 
elimination rules and then applying the introduction rules we can reconstruct the 
initial proof. In the expansion below, we obtain V by applying the generalized 
weakening principle to the given proof V: 

hyp 

T> ty,A true b A D B true ^, A true b A true 

^ _ : ~2>E 

* b A D B true E $>,A true b B true 

* b Ad B true ~ >I 
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We also used the hypothesis principle in the above example: in natural deduction 
systems, the hypothesis principle always holds trivially due the presence of the rule 
we labeled hyp. 

1.2 Reflection over an accessibility relation 

Having reviewed the judgmental methodology, we will now perform a sort of warm- 
up exercise to introduce the idea of definitional reflection in the presentation of 
a logic [Schroeder-Heister 1993]. This warm-up logic, which we name DML (for 
"Definitional Modal Logic"), is recognizably similar to IK, the intuitionistic Kripke 
semantics for modal logic presented by Simpson [1994]. 

Kripke semantics for modal logic are characterized by worlds and an accessibility 
relation that describes the relationship between worlds. We will use as a running 
example an accessibility relation with three worlds, a, ft, and 7, such that a ~< /3 
(we say "/3 is accessible from a"), a -< 7, and (3 -< 7. 



The proof theory of DML is parametrized over an arbitrary accessibility relation; 
the three-world accessibility relation above is only one possible example. The hypo- 
thetical judgment for this logic takes the form Ai[wi} 7 . . . , ^4„[u>„] h C[w], where C 
and the Ai are propositions and w and the Wi are worlds. DML is also a structural 
logic, so its judgmental principles are straightforward: 

Defining principles o/DML: 

— Hypothesis principle: If A[w] € T, then T h A[w}. 

— Generalized weakening principle: If T C T' and r h l[ro], then V h A[w]. 
— Substitution principle: If T h A[w] and T, A[w] h C[zz/], then T h C[io']. 

In DML, as in Simpson's IK, worlds and the accessibility relation are critical to 
the definition of the modal operators. Consider the definition of modal possibility, 
<>A. The Kripke interpretation of modal possibility is that OA is true at world w 
if there exists some accessible world w' where A is true. The introduction rule for 
modal possibility directly reflects this interpretation: 

w<w' TV- A[w'\ 



r h oa[w] 
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The elimination rule for modal possibility is where the use of definitional reflection 
becomes important. If we can prove that OA is true at the world w, we can use 
case analysis over the pre-defined accessibility relation to look up all the worlds w' 
such that w ~< w' holds; for each such w', we must prove the ultimate conclusion 
using the additional hypothesis A[w']. This is expressed by the following inference 
rule: 

r h OA[w] Vw'. w -< w' — -> T, A[w'} h C[w"} 

r - c ^ OE 

In our aforementioned example, there are two worlds w' such that a -< w' holds. 
Therefore, to eliminate a proof of OA[a], we must consider the case where A holds 
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at world /3 and the case where A holds at world 7. Similarly, because there are zero 
worlds w' such that 7 ~< w' holds, a proof of OA [7] is contradictory and can be 
used to prove anything at all. These two derivable special cases of the possibility 
elimination rule can be written as follows: 

r h oA[a] r, A[(3] h c[w"] r, a[j] h c[w"] rhOA[ 7 ] ^ 

r h c[w"] ° ha r h c[w"] 7 



This elimination rule is what makes DML strikingly different, and seemingly 
stronger, than Simpson's IK. In IK, it would not be possible to prove • h OA D 
J- [7], but in DML this is a simple use of the Dl and OE 1 rules. This strength 
comes at a price, of course. Any reasoning in IK is valid in a larger accessibility 
relation, but in DML, the aforementioned hypothetical judgment • h OA D ±[7] 
would no longer be valid if the accessibility relation was made larger in certain ways 
(for example, by making 7 accessible from itself). 

It is possible, at least in this simple case, to see OE as merely a rule schema 
that, once given an accessibility relation, stamps out an appropriate number of 
rules. However, as suggested by Zcilberger [2008], it is more auspicious to take this 
higher-order formulation of definitional reflection at face value: the second premise 
of the OE rule is actually a (meta-level) mapping - a function - from facts about 
the accessibility relation to derivations. This interpretation becomes relevant when 
we discuss local soundness. 

To show local soundness, we use functional application to discharge the higher- 
order premises, so that {T>2 w' A\) below is a derivation of the hypothetical judg- 
ment T, u : A[w'] h C[w"]. 

w -<uf TV- A\w'\ T>n 

— - OT 

T h OA[w'} Vw*.w w* — y r, u : A[w*} h C[w"} 

r h c[w"] ^ E 

[D[/u}(V 2 w' Ax) 

^ R r h c[w"] 

Local completeness is a bit difficult to write clearly in the traditional two- 
dimensional notation used for proofs. It begins like this: 

D ??? 

v rh oa\w] Vw'.w ^w'^>r, a\w'} h oa\ w ] 
rh ^N E U tFoan ° E 

We discharge the remaining proof obligation marked 111 above with a lemma: we 
must prove that for all w' , w -< w' implies r,A[w/] h If we label the 

given premise w ~< w' as A, this fact is be established by the following schematic 
derivation: 

w -< w' T,A[w'] h A[w'] hyP 
T,A[w'] h OA[w] OI 

This proves our lemma, which in turn suffices to show local completeness for modal 
possibility, ending our discussion of the system DML. 
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1.3 Reflection over provability 

The system DML was just a warm-up that introduced reflection over the definition 
of an accessibility relation. We will now introduce constructive provability logic by 
additionally using reflection over provability. In DML, a proof of 0^4[w] allows us 
to assume (by the addition of a new hypothetical assumption) that A is true at one 
of the worlds w' accessible from w; if there is no such world w', the assumption is 
contradictory. In constructive provability logic, a proof of OA[w] will allow us to 
assume that A is provable given the current set of hypotheses at one of the worlds 
w' accessible from w. If A is not currently provable at some world w' accessible 
from w, the assumption is contradictory. 

As a specific example, if Q is an arbitrary atomic proposition, _L is the proposi- 
tion representing falsehood, and we use the accessibility relation from the previous 
section, then in constructive provability logic we can prove OQ[a] b _L[a] by the 
use of reflection over logical provability. It is possible to show, using techniques 
that we will introduce later, that there is no proof of OQ[a] b Q[0\ and no proof 
of 0<2[a] b Q[j]. This, in turn, allows us to conclude that asserting that Q is 
currently provable at one of the worlds w' accessible from a is contradictory. The 
same judgment OQ[a] b _L[a] would not have been provable in DML. In order to 
use a proof of OQ[a] in DML, we would have to prove both OQ[a],Q[/3] b _L[a] 
and OQ[a],Q[j] b _L[a], and neither of these hypothetical judgments are, in fact, 
provable. 

1.3.1 The weakening principle for constructive provability logic. The discussion 
above is enough to make it clear that the generalized weakening principle from 
DML will not be acceptable for constructive provability logic. In DML, the weak- 
ening principle asserts that, if we can prove T b -L[a], then we can always also 
prove r,Q[/3] b J- [a]. Compare this to the previous discussion where we counted 
on there being no proof of the hypothetical judgment OQ[a] b Q[f3\. If we weaken 
the context with the additional judgment Q[(3], we get a hypothetical judgment 
0<2[a], Q[j3] b Q[j3] that is provable, invalidating our reasoning. 

This illustrates that constructive provability logic must avoid some forms of weak- 
ening. To this end, we define a new partial order on contexts that is indexed by a 
world w, written as T C w T' . This relation holds exactly when: 

—For all w' such that w ^* to', A[w'\ £ T implies A[w'\ G T', and 
—For all w' such that w ^+ w', A[w'] e r" implies A[w'] e T. 

Here, w ~<* to' is the reflexive and transitive closure of the accessibility relation and 
w -<+ w' is the transitive closure of the accessibility relation. This indexed subset 
relation C. w acts like the normal subset relation when dealing with judgments 
but for assumptions at worlds A[w'] where w' is transitively accessible from w, only 
contraction and exchange are allowed. Assumptions A[w'] where w' is neither equal 
to w nor transitively accessible from w are completely unconstrained and can be 
added or removed without restriction. 

With our new partial order, we can present two of the defining principles of 
constructive provability logic. 
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Partial defining principles of constructive provability logic: 
— Hypothesis principle: If A[w] € T, then T h A[w}. 

— Generalized weakening principle: If T C w T' and T h .A [to], then T' h A[u>]. 

We omit the substitution principle for now, because it is different in the two different 
variants of constructive provability logic that we present in this paper. 

1.3.2 Restrictions on accessibility relations and the form of rules. Reflection 
over provability must be done with care. It would be logically inconsistent to modify 
our previous elimination rule for modal possibility by turning the hypothesis A[w'} 
into a higher-order assumption T h A[w'] like this: 



r h oa[w] VuA w^'^rh A[ w '] — -> r h c[w"] 

r h c[w"] 0jB6a<i 

This definition can lead to logical inconsistency because the hypothetical judgment 
r h j4[w'] occurs to the left of an arrow in a rule that is ostensibly defining the hypo- 
thetical judgment. In DML this was no issue: we stipulated that the accessibility 
relation was definable independently from the hypothetical judgment. 

To make the definition of constructive provability logic well-formed, we take 
the position that the hypothetical judgment T h A[w] is defined one world at a 
time. If we then restrict the accessibility relation so that it is converse well-founded 
(irrcflexivc, no cycles or infinite ascending chains), when w -< w', then we can hope 
to define T h A[w'\ before T h A[w] in the same way we defined the accessibility 
relation w -< w' before V h A[w] in DML. 

If we are trying to define provability one world at a time, the problem with OE^d 
is the relationship (or lack thereof) between T h A[u>'], which we are reflecting 
over, and T h C[w"], which we are defining. To fix this, we must ensure that w' 
is accessible from w" in one or more steps, and therefore defined before w" . There 
are two obvious ways to do this, which give rise to the two variants of constructive 
provability logic, CPL and CPL*. 

1.3.3 Tethered constructive provability logic. Because w -< w' , the simplest so- 
lution is to force w to be equal to w" ; this results in the following "tethered" (in 
the sense that the world in the premise is tethered to the conclusion C[w]) 
rule for modal possibility: 

r h oa[w] \/w'. w^'^rh A[w'\ — -> r h c[w] 

We call this tethered version of constructive provability logic CPL, and show the 
rules for modal necessity to be locally sound and complete in Section 2. 

1.3.4 De-tethered constructive provability logic. The tethered proof theory of 
CPL can be viewed as unnecessarily restrictive. To fix the inconsistent left rule 
OEbad , all that is really necessary according to the discussion above is for provability 
at w' to be defined before provability at w" . We can "de-tether" the logic somewhat 
by allowing both the case where w is the same as w" and the case where w is 
transitively accessible from w" (this is achieved by adding a premise w" -<* w). This 
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is sufficient to ensure that w' will be transitively accessible from w" (w" -< + «/), 
ensuring that provability at w' will be defined before provability at w" as required. 
The de-tethered elimination rule for modal possibility in constructive provability 
logic looks like this: 

w" ^* w r F OA[w] Vw'. w ~< w' — > T F A[w'} — > T F C[w"] 

r f CK1 0i?CPL * 

We call the de-tethered variant of constructive provability logic CPL*. To distin- 
guish the two similar logics, in the subsequent discussion we will write the hypo- 
thetical judgment for CPL as T h A[w] and write the hypothetical judgment for 
CPL* as T F A[w]. 

1.4 A note on formalization 

Both variants of constructive provability logic and their metatheory have been 
formalized in the Agda proof assistant, an implementation of the constructive type 
theory of Martin Lof [Norell 2007]. This development is available from https: 
//gitlmb . com/robsimmons/agda-lib/tree/ cpl. 

With two exceptions, all of the results in this paper arc fully verified by Agda. 
The most significant exception is that Agda cannot verify that rules such as Oi?cPL 
and 0£?cpl* above avoid logical inconsistency. This is because Agda's positivity 
checker, which ensures that data-types are not self-referential, does not understand 
the critical relationship between the logical rules and the converse well-founded 
accessibility relation. The result is that the positivity checker must be disabled 
when we encode the definitions of CPL and CPL*. This issue is discussed further 
in the technical report along with potential resolutions [Simmons and Toninho 
2010]. One key point is that any finite accessibility relation can be instantiated 
without running afoul of the positivity issue, so we can restrict any concerns to 
instantiations of constructive provability logic with infinite converse well-founded 
accessibility relations. 

The second issue is that, due to the complexity of the de-tethered cut admis- 
sibility proof, Agda runs out of memory and crashes when attempting to verify 
that this proof terminates. Therefore, we must turn off the termination checker 
when dealing with this proof. Arguably, this shortcoming is due to the fact that 
Agda does not allow the user to specify an induction metric - rather, it synthesizes 
all possible induction metrics and then checks them. However, we can state an 
induction metric and verify by hand that this induction metric is obeyed in the 
proof. 

2. CPL, TETHERED CONSTRUCTIVE PROVABILITY LOGIC 

In this section, we will present the defining principles, natural deduction, and se- 
quent calculus for the tethered variant of constructive provability logic, CPL. Mir- 
roring the tethered presentation of rules outlined in Section 1.3.3, the substitution 
principle in CPL is tethered: the hypothesis being discharged, A[w], is at the same 
world as the consequent C[w\. 

Defining principles of CPL; 

— Hypothesis principle: If A[w] £ T, then T h A[w}. 
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r h ±[ w ] 

hyp — — — — — ±E 



r, A[w] h ah " r h c[w] 

r, ah h b[w] r h a 3 b[i»] r h ah 
r h a 5 bh 3/ r h b[»] ;i 

w <w' r h AHi Vtu'. iu -< tu' — ► r h a Hi 

OJ — 77-, 



OE 



OE 



r h oah r i- da 

r h oah Viu'. u> -< tu' — ► r h AH] — >rh c*H 
tTch 

r h dah (Viu'. w -( tu' — >rh AHD — > r h ch 
r h ch 

Fig. 1. Intuitionistic CPL natural deduction 

— Generalized weakening principle: If T r' and T h then T' h 

— Substitution principle: If T h A[w] and r, A[w] h C[w], then T h C[w]. 

The natural deduction rules for CPL are presented in Fig. 1. Implication, atomic 
propositions and falsehood are defined as per usual in natural deduction presenta- 
tions of logic. The introduction rule for modal possibility is visually the same as 
the rule from DML, and the elimination rule was presented in Section 1.3.3, but 
we have yet to show these rules locally sound and complete. Local soundness is 
witnessed by the following reduction; as in the local soundness proof for possibility 
in DML, the higher-order proof T> 3 is used as a function - we apply it to w', Ai, 
and T>2 in order to obtain the necessary proof: 

Ai X> 2 

W X w' T h A[w'] £> 3 

r h oa[w] OJ Vw'.w -< w' — r h A[w'] — -> r h c[w] 



r h c[w] 



OE 

V 3 w' Ai V 2 
>R TV- C[w] 



Local completeness also holds for modal possibility, although the expansion that 
witnesses the property is somewhat surprising: 

L 1 r h oa[w] 

We expand a proof of OA[w] by applying OE to the given derivation and to the 
actual rule of OI. The higher-order premise for OE for this proof requires us to 
prove the following meta-theorem: "If w ~< w' and T h A[w'] then T h OA[jii]." 
This theorem is immediately true by application of the OI rule to the assumptions. 

All that remains is a discussion of modal necessity. Whereas modal possibility 
has an existential character (there exists some accessible world where A is true), 
modal necessity has a universal character (at every accessible world, A is true) . We 
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conclude OA at world w if we can show that for all worlds w' that are accessible 
from w, A is provable at w'; this is reflected in the □/ rule. 

The universal character of modal necessity would suggest that we can use a proof 
of DA[w] by exhibiting a world w' accessible from w and then assuming that A was 
provable there. 

r h oa[w] w^w' r h A[ w '] — -> r h c[w] 



r h c[w] 



OE' 



Surprisingly, this rule is locally sound but not locally complete in the presence of po- 
tentially infinite accessibility relations (consider an infinitely branching accessibility 
relation - this would require infinite applications of OE' in order to obtain enough 
to information to re-apply □/), so CPL uses a less intuitive third-order formulation 
of OE shown in Fig. 1. The more intuitive rule is nevertheless derivable from the 
actual OE rule, and the third-order formulation of the rule is derivable from OE' 
under the assumption that we can finitely enumerate the worlds accessible from 
any world (this is established in the file AltBoxE . agda in the Agda development) . 

As per usual in our development, we show our rules to be locally sound, as 
witnessed by the following reduction: 

Vw'.w -<w' — >T\- A[w'] x> 2 

r h OA[w] DI (Vw'.w ^ra'^Th A[w']) — > T h C[w] 

v 2 v x 
r h cm 

Local completeness for modal necessity is the same as it was for modal possibility; 
the second premise of the OE rule essentially restates the □/ rule. 

Having shown our system to be locally sound and complete, we must now circle 
back around to show that the judgmental principles hold: 

Theorem 1 Metatheory of CPL natural deduction. 

— Hypothesis principle: If A[w] <G T, then T h A[w]. 

— Generalized weakening principle: IfT C w V' and T h A[w], then V h A[w]. 
— Substitution principle: IfTh A[w) and T,A[w] h C[w], then T h C[w}. 

Proof. The hypothesis principle follows immediately from the rule hyp. The 
generalized weakening principle is established by structural induction on given 
derivation, and the substitution principle is established by structural induc- 
tion on the second given derivation r, A[w] h C[w]. Both proofs appear in 
Tether edCPL/NatDeduct ion. agda in the Agda development. □ 

2.1 Sequent calculus 

Often we want to be able to show that a judgment is not provable in a logic 
(for instance, we better not be able to derive the judgment • h -L[w], which would 
represent a closed contradiction). While natural deduction is a canonical way of 
thinking about proofs, it is not very useful as a tool for proving such negative 
statements about logic. This is largely because natural deduction does not obey the 
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±[w] 6 r 

— — - init (Q is an atomic proposition) — - _|_L 

r,QH => Q[ w ] w ; r=>c[w] 

r, A[w] => s[iu] a d B[t»] e r r => ah r, b[»] => c[»] 
r^iD b[w] DR r cm 3L 

uj -<; u)' r => i4[tu'] Viu'. u> -< w' — ► T => A[wj'] 

r => oa[w] oi? r => nA[w] nR 

oa[w] 6 r vto'. w -< tu' — ► r => A[u>'] — > r => c[»] 

r c[w] OL 

□ah e r (W. w -< w' — ► r => AH]) — ► r => c*H 

r — — 

Fig. 2. Sequent calculus for intuitionistic CPL 

so-called sub-formula property (all judgments in a proof refer only to sub-formulas 
of the propositions present in the initial judgment). A sequent calculus system, on 
the other hand, obeys the sub-formula property and therefore allows us to prove 
negative statements about a logic by refutation: we assume the sequent is provable 
and, by case analysis on the structure of the derivation, derive a contradiction. The 
sequent calculus for CPL is given in Fig. 2. 

Even though sequent calculus systems arc structured quite differently than nat- 
ural deduction systems, we can (and must!) establish the admissibility of the same 
defining principles. 

Theorem 2 Metatheory of the CPL sequent calculus. 

— Hypothesis principle: If A[uij\ £ T, then T =>■ 

— Generalized weakening principle: IfT C w T' and T A[w], then V =>■ A[w]. 
— Substitution principle: IfT=> A[w] and F, A[w] => C[w], then T => C[w]. 

PROOF. The hypothesis principle is established by structural induction on the 
proposition A, and the generalized weakening principle is established by structural 
induction on the given derivation. The substitution principle is proved by lexico- 
graphic induction, primarily on the structure of the proposition A and secondarily 
on the structures of both given derivations: if the proposition A stays the same, 
then either the first derivation gets smaller and the second stays the same or the 
second derivation gets smaller and the first stays the same. All proofs appear in 
TetheredCPL/Sequent . agda in the Agda development. □ 

In sequent calculi, the hypothesis principle is frequently called identity admissibility 
and the substitution principle is frequently called cut admissibility. The admissi- 
bility of cut and identity establish the global analogues of local soundness and 
completeness, respectively. 

By presenting a sequent calculus system as a convenient way of establishing 
non-provability of hypothetical judgments in a natural deduction system, we have 
presupposed that the two presentations are equivalent. Luckily, we were right: 

Theorem 3 Equivalence, r h A[w] if and only ifT=> A[w}. 
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w' <* w r p- ±{w] 
r, ah f 6 - ah Am) r f CK] ±b 

T,A[w]^ B[w] T^ADB[w] tfah 

r f a 5 bh 37 r f %j DE 

iu -< tu' r r A[«)'] Vw'.w <w' — ► r ^ A[w>] 
r f oah 0/ r da[w] " ~ D/ 

w" -<* w r f oah Viu'. iu -< w' — > r f ah'] — > r f ch"] 
r r c[w"} 

w" -<* w r F DAH (W. iu -< w' — >TF AH']) — > T f C[w"' 

r - c ^ 

Fig. 3. Intuitionistic CPL* natural deduction 

Proof. Both directions must be proved simultaneously, primarily by induction 
on the accessibility relation and secondarily by structural induction on the given 
derivation. The defining principles of the sequent calculus presentation (Theo- 
rem 2) are used in the forward direction, and the defining principles of the natural 
deduction presentation (Theorem 1) are used in the backward direction. The proof 
appears in Tether edCPL/Equi v . agda in the Agda development. □ 



OE 
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2.2 Example 

We now formalize the example that motivated Section 1.3, showing that the sequent 
OQ[a] _L[a] is derivable (and by the equivalence of natural deduction and sequent 
calculus, that OQ[o;] h _L[a] is derivable). The last rule in our proof will be OL: 

£ 

\/w'. a<w' — > <>Q[a} => Q[w'] — > OQ[a] => J. [a] 

OQ[a] => i-[a] <>L 

Therefore, it suffices to show that for all w' accessible from a, OQ[a) Q[w'} 
implies OQ[a] =>■ _L[a]. In this running example, there are two worlds /3 and 7 
accessible from a, so we must show that 0(5[a] Q[f3] implies OQ[o:] =>■ _L[a] and 
that OQ[o;] => Q[y] implies OQ[a] ±{a\. The reasoning in both cases is exactly 
the same; we'll prove only the first here. 

The way we prove that OQ[a] Q[0\ implies OQ[a] =>■ -L[a] is to prove that 
there is no proof of OQ[a] Q[/3], which means that the implication holds vacu- 
ously. To prove this, we assume 0<5[a] =>• Q[j3] is derivable. The only possible rule 
that could potentially allow us to conclude this sequent is OL, since there is no 
Q[P] in the context in order to apply the init rule. However, since the worlds a and 
P do not match, the rule does not apply and the sequent is not provable. 



3. CPL*, DE-TETHERED CONSTRUCTIVE PROVABILITY LOGIC 

The natural deduction rules for CPL* are presented in Figure 3. The only dif- 
ference from the corresponding rules of the previous section is that we no longer 
restrict the conclusion of elimination rules to be at the world w of the judgment 
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we are eliminating, instead allowing it to be at a world w", provided that w" -<* w 
(an exception is DE, since the rule does not mention an arbitrary proposition C). 

The proofs of local soundness and completeness are analogous to the ones dis- 
cussed in the previous section; the substitution principle is de-tethered in the same 
way that the elimination rules are. 

Theorem 4 Metatheory of CPL* natural deduction. 

— Hypothesis principle: If A[w] € T, then T F A[w\. 

— Generalized weakening principle: IfT Q w T' and T F then V F A[w]. 

— Substitution principle: If w' ^* w, rF4[w], and T,A[w]? L C[w'], then 
r F C[w'). 

PROOF. The hypothesis principle again follows immediately from the rule hyp. 
The generalized weakening principle is established by a primary induction on the 
accessibility relation and a secondary structural induction on the given derivation. 
The substitution principle is established by a primary induction on the accessibility 
relation and then a secondary structural induction on the second given derivation 
T, A[w] F C[w']. Both proofs appear in DetetheredCPL/NatDeduction. agda in the 
Agda development. □ 

3.1 Focused sequent calculus 

The sequent calculus formulation of CPL is convenient for establishing very sim- 
ple properties of provability and non-provability, and it is possible to give a very 
similar sequent calculus for CPL* [Simmons and Toninho 2011]. However, because 
we wish to consider CPL* as the basis of a logic programming language, we fol- 
low Andreoli [1992] in developing a much more restricted focused sequent calculus. 
Unlike Andreoli, we use an explicitly polarized version of our logic. 

Propositions in a polarized presentation of logic are split into two syntactic cate- 
gories, positive propositions A + and negative propositions A~ . A full discussion of 
polarity assignment for connectives is outside the scope of this article; as a rule of 
thumb, the positive connectives are those with large eliminations. An elimination is 
large when the proposition whose truth is established by an elimination rule is some 
proposition C with no immediate connection to the proposition being eliminated; 
this indicates that _L, OA, and UA are positive connectives and A D B is not. 

A+,B+ ::= Q+ \ \A~ | _L | OA+ \ UA+ 
A~,B~ ::= Q~ \ \A+ j A + D B~ 

Each atomic proposition can be positive or negative, but never both, as if each 
atomic proposition in the un-polarized logic was always already intrinsically positive 
or negative and our previous natural deduction and sequent calculi were unable to 
notice. 

Both of the modal operators in constructive provability logic are naturally posi- 
tive on the outside. However, our choice of the polarity for the proposition inside 
the modality appears to be arbitrary: OA + and OA~ would both be reasonable 
ways to polarize the possibility modality. Polarization of propositions is a property 
that affects proofs, not provability, so the modalities OA and OA, which, in con- 
structive provability logic, only care about the provability of the sub-formula A, are 
naturally indifferent to the treatment of A as a positive or negative proposition. 
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C~ stable- w -<* w' T, ±A~ [w'] S> A" [w'] > C~ [w] 
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\/w.w' <w — > V; ■ i> -\A+ [w] — ► r ; • s> C~ [w"] 
_LL : OL 

r-±[w'}^c-[w] r-,oA+[w']^c-[w"] 

(Ww.w' — >T;- S^fA+H) — > T;-*>C-[w"] T S»[A+H] 

; □ L ; "\R 

T;UA+[w'\*>C-[w"\ T;- *>^A+[w] 



r A~[w'] > C~[w] 



QL- ' -r-^ L - L - \L 

rs»Q-H>Q"M r^iA+K] > c~[w] 

r^[A+[w']] r *>b-[ w '\ >C"H 
r a+ 5 B"K] > c~H 3i 

Fig. 4. Focused sequent calculus for intuitionistic CPL* 



To develop the focused calculus, we require three types of sequent: a right fo- 
cus sequent T =^> \A + [w]\, describing a state where non-invertible right rules are 
applied to positive propositions; a left focus sequent V ^> A~[w'} 3> C~[w], where 
non-invertible left rules are applied to negative propositions (we typically say that 
the proposition A~ is under focus); and an inversion sequent I 1 ; O =^> de- 
scribing everything else (the additional context 0, which is either • or a single 
judgment is called the inversion context). We define the system in such a 

way that whenever the inversion context is non-empty, there is only one applicable 
rule - the one that decomposes the connective in the inversion context. We require 
two additional judgments, A + stable + and A~ stable^ , which restrict the inversion 
phase. The rules defining the focused CPL* sequent calculus are given in Fig. 4. 

Validating the judgmental principles is quite complex in focused CPL*; the proof 
adapts techniques used in the analogous proofs for CPL as well as the structural 
focalization techniques described by Simmons [2011]. The generalized weakening 
principle is established in FocusedCPL/Weakening. agda. The substitution prin- 
ciple is established as a corollary of the cut admissibility which is established in 
FocusedCPL/Cut.agda. Notably, in order to prove the substitution theorem, we 
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Fig. 5. Polarization of propositions and contexts 

must simultaneously prove a a backwards substitution theorem establishing that 
T; • ^> A[w] and T; ■ ^> C[w'] together imply T; ■ =^> C[w']; this fact does not follow 
from generalized weakening when w' -< + w. Finally, the hypothesis principle is 
established as a corollary of identity expansion in FocusedCPL/Identity.agda. 

We only establish a weak form of equivalence between the focused sequent calcu- 
lus and the natural deduction system; we define a polarization strategy (Figure 5) 
that maps unpolarized propositions and contexts to polarized ones. It is more 
robust to define equivalence on the basis of erasing polarized propositions and con- 
texts to unpolarized ones [Simmons 2011], but this formulation is sufficient for our 
purposes. 

Theorem 5 Equivalence, r F A[w] if and only ifT®; ■ ^> A G [w] 

Proof. Both directions must be proved simultaneously, primarily by induction 
on the accessibility relation and secondarily by structural induction on the given 
derivation. The forward direction uses the metatheory of the focused sequent cal- 
culus and is structured similarly to the proof in [Simmons 2011], and the reverse 
direction uses the defining principles of the natural deduction system (Theorem 4). 
The proof appears in DetetheredCPL/Equiv. agda in the Agda development. □ 

4. LOGIC PROGRAMMING IN CONSTRUCTIVE PROVABILITY LOGIC 

Proving the natural deduction system for CPL* equivalent to a focused presenta- 
tion of the logic is a lot of work, but the payoff is that the focused sequent calculus 
can form the basis of a logic programming language [Miller et al. 1991; Andreoli 
1992]. We will use an extremely simplified example here: translating a proposi- 
tional Horn clause logic program with stratified negation where there are only two 
strata. In this section, atomic propositions in the first strata will be written with 
the metavariable Q, and atomic propositions in the second strata will be written 
with the metavariable P. 

Atomic propositions Q can appear at the head of Horn clauses of the form 
Q :- Qi, . . . ,Q n in the logic program; atomic propositions P can appear at the 
head of Horn clauses of the form P : - A\ , . . . , A n in the logic program, where 
each Ai is either an atomic proposition Pj, an atomic proposition Qi, or a negated 
atomic proposition ~^Qi. We will use the worlds (3 and 7 (where /3 ~< 7) from 
our running example. Each first-strata Horn clause Q : - Q\, . . . , Q n is translated 
into a judgment i(Qi D . . . D Q n 3 tQ)[7L an d each second-strata Horn clause 



17 



P :- Ai, . . . ,A n is translated into a judgment i(A* D . . . D A' n D t-P)[/3], where 
(Pi)' = Pi, {Qi)' = UQ U and (->Qi)* = U(°Qt) t-L)- (Note that this implies 
a positive polarity for all atomic propositions.) We name the context obtained by 
translating our Horn clause logic program T. 

Searching for a proof of a proposition P using bottom-up logic programming 
can be characterized as a two phase proof search procedure for proofs of the term 
T, T'; • =^> \P\ff\, where we always maintain the invariant that T,r'; • =^> \P\ff\ is 
provable if and only if T; ■ ^> \P\f3\ is provable. 

In the first phase, we only focus on hypotheses in T with the form l(Qi D . . . D 
Qn 3 tO) [7]- Because focusing on such a proposition will succeed exactly when 
Qi[j] € T' for each of the Qi, it is always possible to determine the entire set of Qk 
that are immediate consequences of the rules in T and atomic propositions in T' . 
Given a sequent T, V; ■ ^> \P[P] that is true if and only if T; ■ ^> tP[0], we determine 
the immediate (first-strata) consequences T imm of (r, By repeated focusing 
steps, we can show T, (V U T imm ); • =^> ^P\0\ implies T, T'; • =^> tP[P], an d we can 
show the converse by the reverse substitution principle discussed in the previous 
section. This in turns means that we have a new sequent T, (V U T imm ); ■ 4> tP[P] 
which is true if and only if T; • t-P[/3]- If T' 2 ^imm, we repeat the first phase. 
Otherwise V D T imm , so all the immediate consequences Q of (r, T') are already 
present in T' . In this case, we say we have reached saturation at 7 and continue to 
the second phase. 

The second phase relies on the fact that, if all of the immediate consequences 
Q of (r,T') are already present in T' , then T,r'; • ^> tQ[l] is provable if and only 
if QYi\ € (r, r'). This means that we have an effective decision procedure for the 
provability of first-strata propositions Q. Thus, the second phase proceeds the same 
as the first, focusing instead on hypotheses in T with the form i(A* D . . . D A* n D 
t-P) [/?] ■ Focusing on such a rule will succeed exactly when: 

—for each A\ = P u P l [j3] e V , 

— for each A* = UQ U Qi[y] £ T' , and 

-for each A* = |((DQ 4 ) D t-L), QAl] t V. 

Therefore, given that (r, T') is saturated at 7, we can also determine the entire 
set of second-strata propositions that are immediate consequences of (I\ We 
proceed as before, and once we have reached saturation at fi as well, we can declare 
the original sequent T; ■ =^> tP[P] provable if and only if P[j3] e V for the final 
saturated V . 

5. AXIOMATIC CHARACTERIZATION 

In this section, we present a sound Hilbert-style proof theory for CPL and CPL*. 
The desired interpretation of lh A is that it implies that, for all converse well- 
founded accessibility relations and contexts T, it is the case that T h A[w] (in CPL). 
Similarly, the desired interpretation of IF A is that, for all converse well-founded 
accessibility relations and contexts T, it is the case that T F A[w] (in CPL*). We 
will write IP A to indicate results that hold in both CPL and CPL*. 

This section only considers soundness results for Hilbert-style reasoning; we do 
not claim the converse, which would be a completeness result. However, when 
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we claim that a particular formula is not an axiom of CPL or CPL*, we always 
can demonstrate a particular accessibility relation, world, and instance A of the 
said formula such that there is no proof of V h A[w] or T P A[w}. For instance, 
Q[a] \-(^OQ D D^Q)[a] is unprovable, 2 so the classically true De Morgan axiom 
-nOA D D->A docs not hold in CPL. Some axioms, like DA D an A, only hold in 
general when the accessibility relation is transitive; these are indicated. 

Both proofs and counterexamples for CPL and CPL* can be found in 
TetheredCPL/Axioms . agda and in DetetheredCPL/Axioms . agda (respectively) in 
the Agda development. 

5.1 Intuitionistic modal logic 

All of the axioms of intuitionistic propositional logic are true in both variants of 
constructive provability logic, as are the fundamental rules and axioms of intuition- 
istic modal logic. It is less clear what other axioms characterize intuitionistic modal 
logic; some of the axioms of Simpson's IK hold in neither Pfenning-Davies S4 nor 
in constructive provability logic. 

Theorem 6 Intuitionistic modal logic. 

(MP) Ih A D B and Ih A imply Ih B, and IP A D B and IF A imply IF B 

(I) IP A D A 

(K) IP A D B D A 

(S) IP (A D BdC)d(Ad B)d AdC 

(±E) IP _L D A 

(NEC) Ih A implies Ih DA, and IP A implies IP UA 

(KO) IP U(A D B) D DA D UB 

(KO) IP D(A D B) D OA D OB 

(4 a ) IP OA D DDA (if the accessibility relation is transitive) 

(OJ_) IP -Oi_ 

(^O) IP OOA D OA (if the accessibility relation is transitive) 

^Oi_ is not an axiom of CPL, and (OA D OB) D D(A D B) is not an axiom of 
either variant. 

If the accessibility relation is transitive, CPL* admits the axioms of Pfenning- 
Davies S4, plus (OJ_), which holds in IK but not in Pfenning-Davies S4. We have 
not been able establish the status of axiom in CPL. 

Simpson's thesis presents axioms characterizing other properties of accessibility 
relations besides transitivity, but all these properties (e.g. symmetry) are inconsis- 
tent with converse well-foundedness, so we ignore them here. 

5.2 Provability logic 

Exploring the connection between constructive provability logic and provability 
logic was one of the motivations of this work. The most common characterization 
of provability logic is the GL axiom. Since GL can be used to prove the 4 O axiom 
[Verbrugge 2010], it is not surprising that this axiom requires a transitive accessi- 
bility relation. The other standard characterization of provability logic is the Lob 



2 ^A is the usual intuitionistic negation ADl 
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rule. The Lob rule is almost always presented together with axiom ensuring 
transitivity of the accessibility relation, but it is interesting to observe that the Lob 
rule, unlike the GL axiom, holds even without a transitive accessibility relation. 

Theorem 7 Provability logic. 

(GL) IP □(□A D A) D OA (if the accessibility relation is transitive) 

(Lob) lh DA D A implies lh A, and IF UA D A implies IF A 

Unlike the proofs of Theorem 6, both parts of Theorem 7 are proved by induction 
over the accessibility relation. 

5.3 De Morgan laws 

The interaction between negation and the modal operators is frequently an in- 
teresting ground for exploration. In classical modal logic, OA is just defined as 
-■□-iA, and so all four of the De Morgan laws - (O^A D ->OA), (a^A D ->OA), 
(-.OA D D-i-A), and (-.a A D O^A) - hold trivially. The first three hold in Simp- 
son's IK, and none hold in Pfcnning-Davies S4. In CPL* two of the four hold, and 
in CPL the same two hold only if we make certain assumptions about consistency 
at accessible worlds. 

Theorem 8 De Morgan laws. 

—In CPL* 7 IF O-.A D ->OA and IF n-,A D -.OA. 

— In CPL, neither O^A D ->OA nor U-iA D ^OA are axioms. 

—In CPL, both T O^A D ->nA[w] and T U-tA D ^OA[w] are true if there 

is no w -< w' such that T => -L[w']. 
— ^OA D D-iA is not an axiom of CPL or CPL*. 
— -iUA D O^A is not an axiom o/ CPL or CPL*. 

6. CONCLUSION 

In this article, we have given natural deduction and sequent calculus presentations 
for two variants of constructive provability logic, a modal logic with reflection over 
both accessibility and provability. The standard judgmental principles of all four 
deductive systems were presented and formalized in the Agda proof assistant (with 
some caveats described in Section 1.4). Furthermore, through a focused sequent 
calculus presentation, we produced a sketch of how constructive provability logic 
can be used as a intuitionistic and proof-theoretic justification for stratified negation 
in logic programming. Finally, as customary in most works on provability logic, we 
gave a axiomatic characterization of constructive provability logic and showed that 
most of the standard axioms of provability logic are sound with respect to our proof 
theoretic presentation. 

6.1 Related work 

There has been a substantial amount of research on provability logic throughout the 
years. The early research on the topic focused on axiomatic presentations of prov- 
ability logic and its implications for the foundations of mathematics. More recently, 
there has been interest in the proof theoretic aspects of provability logic, mostly 
following the cut elimination result of Valentini [1983]. However, most research in 
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provability logic focuses on classical logic (a detailed survey is given in [Artemov 
and Beklemishev 2004] ) . Intuitionistic formulations of provability logic have histor- 
ically been much less explored, with some notable exceptions. For a more detailed 
historical account of intuitionistic provability logic, as well as a development of a 
provability logic for intuitionistic arithmetic, see [Iemhoff 2001]. 

Our line of work departs substantially from previous presentations, even from 
intuitionistic variants of provability logic. Natural deduction systems for provability 
logic are also not very common in the literature, given the historical bias towards 
axiomatic systems. Furthermore, most existing sequent calculi for provability logic 
are classical, and do not make use of explicit worlds nor reflection, which arise as a 
natural way of representing provability logic through the judgmental methodology, 
and thus are substantially different from our own. A focused sequent calculus for 
provability logic is also, to the best of our knowledge, unheard of. 

6.2 Future work 

This work introduces propositional constructive logic programming as a modal logic. 
The only major shortcoming to our treatment of CPL and CPL* as modal logics 
is that we do not know how to formulate or prove the completeness of our system 
with respect to a Hilbert-style presentation. It is not at all clear how this deficiency 
can be overcome. It may require the introduction of a notion of validity similar 
to the validity considered by Pfenning and Davies [2001], and it also may require 
more fundamental changes to the logic, such as making the computational content 
of the higher order rule formulations more explicit. 

In contrast to our relatively thorough investigation of CPL and CPL* as modal 
logics, we have only barely scratched the surface of understanding the possible 
applications of constructive provability logic as the basis for proof search and logic 
programming. We ultimately wish to use constructive provability logic to justify 
the L10 logic programming language, a rich forward-chaining language that uses 
worlds to enable both distributed logic programming and locally stratified negation 
[Simmons et al. 2011]. To do so, we require a satisfactory treatment of first-order 
quantification in constructive provability logic, as the account in this paper was 
entirely propositional. In addition, it is likely that a hybrid modal operator A@w 
will prove to be more useful than the traditional modal operators OA and OA, but 
this is a minor change from a proof-theoretic perspective. 

Horn-clause logic programming is only the simplest logic programming appli- 
cation of constructive provability logic; the focused presentation of CPL* imme- 
diately opens the door to the principled addition of stratified negation to more 
interesting logic programming languages, such as higher-order logic programming 
languages like AProlog and Twelf. We also believe that constructive provability 
logic with nominal quantification could be presented as a generalization of the Bed- 
wyr language, which synthesizes model checking and logic programming [Baelde 
et al. 2007]. 

Finally, provability logic is quite important in other areas of computer science, 
particularly as the basis for the approximation or delay modality > used to model 
programming languages [Nakano 2000; Richards 2010]. We hope to better under- 
stand whether and how constructive provability logic can relate to this line of work. 
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